The hidden cyber threats in health tech


By AJ Dumanhug, CEO, Secuna

The Philippine Red Cross (PRC) reported early this year that it had conducted over 5 million RT-PCR tests across its 14 molecular laboratories nationwide, accounting for about 20% of the national test output, an effort driven in part by its tech providers.

This robust performance significantly helped “drain the swamp” as the PRC was able to institutionalize the use of electronic Case Investigation Forms (e-CIFs) through Dashlabs.ai. This enabled patients to fill out a single form by simply scanning a QR code with their smartphones or computers without leaving their homes.

Although it is effective and convenient, this increased use of technology in healthcare is not without its risks. Processing large volumes of patient information every day is not just time-consuming, but also makes health tech providers vulnerable to cybersecurity threats.

Medical professionals had to rely heavily on services provided by health tech firms to reduce the time they take to make life-saving decisions, but this also reduces the time bad actors need to hack into their systems and steal information.

Real Risks

Healthcare is a particularly attractive target for cybercriminals because of the data providers collect and process. Millions of health records are compromised every year, as extremely sensitive electronic protected health information (ePHI) is handled by almost every clinic and hospital across various digital systems.

Ransomware, other malware, and hackers target vulnerabilities in medical software to access electronic health records (EHRs), then steal and sell patient information on the dark web for hundreds of US dollars per record.

In a May report, cybersecurity firm Secuna announced that it found 494 vulnerabilities across 21 private local firms last year, and that 15.78% were medium-, high-, or critical-risk vulnerabilities that affected the healthcare sector.

Already weighed down by cyber threats, healthcare institutions and their tech providers also have to balance providing quality care with complying with privacy regulations. This balancing act makes it harder to implement security measures, and cybercriminals rush to take advantage of it.

Foremost among the risks is a data breach by way of phishing. Links or attachments in phishing emails, social media posts, or text messages infect computer systems with malware that often spreads over the clinical network. Patient names, birth dates, email addresses, home addresses, lab reports, diagnosis information, medical procedure details, insurance policy numbers, and details of attending physicians are all information that could potentially be exposed and exploited by attackers.

It is without question that the rising cyber-attacks in healthcare can be a matter of life or death for patients.

What could be done?

Healthcare leaders are not tech professionals, let alone cybersecurity experts. Considering that we’re not yet out of the woods in the fight against the pandemic, they are rightly focused on the ways technology can improve the work of medical professionals and health outcomes for their patients. They are understandably less conscious of the cybersecurity risks that come with it.

In almost every case, healthcare leaders are reliant on outsourced support to ensure their technology is secure and performing optimally. Some of them lack an in-house cybersecurity workforce to assist them in strengthening their security posture.

A proactive approach to information protection is to create an action plan that includes regular vulnerability assessment and penetration testing. Regularly assessing risks is not a concession to cybersecurity requirements but the only reasonable choice.

Likewise, implementing bug bounty and vulnerability disclosure programs opens up a channel to the existing community of about 4,000 ethical hackers in the country to detect cybersecurity holes, enabling health institutions, clinics, and tech providers to respond to and prevent threats and their consequences.

Cybersecurity is a long-term task, and we need more specialized human capital to comprehend and tackle these critical issues. Healthcare and health tech providers just need to take advantage of cybersecurity programs that are already available so they can focus on using technology to help medical professionals provide improved healthcare to their patients.